Important Security Vulnerabilities in Modern “Smart Cars”

In February of this year, U.S. Senator Edward Markey released a report warning citizens of the very real possibility that modern cars and vehicles could be targets of cyber attacks. Called, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” [PDF], Markey posed tough cybersecurity questions to auto manufacturers, questions that he felt they had been ignoring.

As you might expect, there were some scary findings. Nearly 100% of vehicles on the market today come with stock wireless technologies that could easily be targets for hackers looking to intrude on someone’s privacy. Out of those questioned, only 2 automakers were able to give the slightest explanation for what would happen should an incident take place. In fact, many of the manufacturers seemed confused by Markey’s questions. They could not provide any indication that their customers’ data was being protected despite the fact that it was often being transmitted to third parties (with the vague purpose of “improving customer experience”). That’s data that customers aren’t even told is being collected and that they cannot opt out of sharing without completely disabling important features (like navigation).

Of course, that doesn’t mean that we should stop buying and using modern vehicles. After all, most of the same dangers automatically come with owning a smartphone or an email account! So how do you, as a cyber savvy driver, deal with this new set of security vulnerabilities?

Syncing Data

You’re renting a car to go on a nice vacation or business trip, and you want to listen to your favorite podcast or playlist along the way. You plug in your device and allow it to sync to the car’s “infotainment” system, then hit play and settle into the drive.

But wait a second. What if your device holds other information, like contact details? The system could auto-sync that information to its internal operating system, which could make it accessible by future renters of the same car! Do you really want to risk that? It’s much safer to use an auxiliary cable to connect your device to the vehicle. True, you might not be able to use the car’s fancy touch screen to change the song, but is it really worth it?

In the same vein, you might also want to ensure that any information you’ve synced to your personal vehicle is completely erased from the system before selling or trading it in. Many vehicles keep more than your contact list onboard; the system might also keep places you’ve plugged in through navigation, including your home address!

Malware

In 2010, BMW became the first to integrate third party apps into its infotainment system. Since then, more automakers have been moving towards the same. This means more functionality and variety for your driving experience, which on the surface is a good thing.

But in the cybersecurity industry, we are already well aware of how quickly mobile app stores became hotbeds for malware distribution. In general, automakers require an approval process before the apps can be available to their customers, but remember that most of the app stores on mobile devices are supposed to approve apps first, too, yet malware still sneaks through the cracks.

Thus, the same rules apply: double check the company who created the app, and research reputations thoroughly before you download! Never download software updates for your system that come from a third party website, and if it looks at all suspicious, it’s best to believe that it’s unsafe.

Think Before Plugging In

Many cars have features that allow you to load navigation maps from DVDs, to charge and sync items via USB ports, and to play music from SD cards, but you need to take the same precaution with this as you do with your computer. Never use navigation DVDs that didn’t come directly from the manufacturer, and any SD cards or storage devices you plug in should either belong to you or to someone you know very well.

Check the Cybersecurity Rating

Charlie Miller and Chris Valasek presented an important study on the vulnerabilities in modern cars at Black Hat last year, and it caused an appropriate stir. They’ve demonstrated how easy it is to hack into different vehicles multiple times. You might remember the major news story about the two shutting down a Jeep Cherokee on the highway this past summer. Yet instead of using their knowledge for ill, they’ve chosen to exploit the inherent vulnerabilities of the “smart car” in order to report it to the manufacturers before the bad guys can harm innocent people. Some have listened, some have not. (Senator Markey took initiative for his report after hearing their concerns, and international automaker coalitions have resolved to work together to do better in the future.)

Unsurprisingly, they found that vehicles with fewer computerized functions and more segmentation between features (i.e. the radio can’t talk to the brakes) were less likely to get attacked by a hacker. After testing several models, they put together a chart of “Car Ratings” which you can view on page 89 of their report, Survey of Remote Attack Surfaces. The 2014 Jeep Cherokee, 2014 Infiniti Q50, and 2015 Escalade are all the most likely to be hacked, while the 2014 Dodge Viper, 2014 Audi A8, and 2014 Honda Accord are least likely. Does your vehicle show up on the list, and does it measure up?

Eric Chiu, president and co-founder of security group HyTrust, is quoted as saying that not only are Senator Markey’s findings considered more than relevant, but also that, “In the dawn of the Internet of Things, security has to be a top priority given how much our daily lives are now being tracked by our connected devices, and lives are at stake with computerized cars.”

Many in the auto industry are now facing the facts and banding together to both combat the cybersecurity flaws in their vehicles’ design and to create methods to share intelligence of security threats and vulnerabilities, but it’s still ultimately up to you to be aware. Technology is now so interconnected in our lives that we cannot possibly give it up. But that being said, it is still absolutely our responsibility to consume that tech with an informed understanding of the risks involved.

Kayley manages our growing footprint on the web and develops marketing strategies to both keep us current & help us reach more people who might benefit from our message. A professionally trained artist and verifiable “weird girl,” she has 5 pet-children, cooks unbelievably good food, and can out-lift you at the gym.